
Exchange Security

Status
Not open for further replies.

kilt

Technical User
Nov 12, 2002
52
GB
Hi everyone,
I've to set up Exchange 2000 on SBS Server 2000 & I'm very worried about security. Applying all latest patches/hotfixes will help but I'm not sure if I should install the software on the same drive as Win 2000 Server. Does it help installing it on a different partition? We're a small company so the Front-End / Back-End solution isn't viable, due to cost & time considerations, any suggestions? We will be using a Stateful Packet Inspection Hardware Firewall for added security.

Thanks In Advance,

Kilt
 
It's fine on the same partition. SMTP traffic will flow into the Exchange information store in any case.

Best thing you can do is to get an Exchange-aware antivirus package. These are not file level antivirus scanners - they use the Exchange Antivirus API. Examples include Symantec's Antivirus/Filtering product for Exchange and Sybari's Antigen.

Good luck!

Gary McDonnell
 
This attack's dastardly nature is worsened by the fact that the attack is mostly invisible unless you've turned on auditing for account-access events. The SMTP log that the Microsoft IIS SMTP component maintains doesn't record the use of SMTP AUTH, so you can't look for a sudden spike in the number of AUTH requests to indicate that you're under attack. Your first warning sign might be that your server starts getting waves of spam-generated nondelivery reports (NDRs). Fortunately, protecting your servers against this attack is a simple process.

First, make sure that your administrator accounts have strong, complex passwords with more than 15 characters that are a mix of letters, numbers, and symbols. (When a password has 16 or more characters, Windows can't locally store the password's easily-cracked LM hash.) Other user accounts also should have complex passwords, but protecting your privileged accounts against brute-force password guessing is especially important.

Second, if you don't allow relaying, consider turning it off completely on all external-facing servers. If you do allow relaying, I suggest you reconsider your decision. For example, if you allow relaying to support external POP users, consider whether you could accomplish this task another way (e.g., by using the users' ISPs).

Third, consider disabling both basic and Windows integrated authentication on any SMTP virtual server that faces the Internet.
Doing so prevents password-guessing attacks, but it also prevents users from authenticating before sending email. If you must leave this feature enabled, make sure that you also enable account-object auditing and regularly monitor the Windows event logs for long series of event ID 528, which failed logon attempts generate.

Fourth, if you use an Intrusion Detection System (IDS), configure it to watch for failed SMTP authentication requests (i.e., tell it to look for the text "535 5.7.3 Authentication unsuccessful" at offset 54 in packets on TCP port 25). This warning will alert you to an attempted attack.
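The fourth tip above describes detection rather than prevention: watch for bursts of "535 5.7.3 Authentication unsuccessful" replies on port 25. The following is an added example written for this page, not code from the thread or from any product it names. Because, as the post says, the IIS SMTP log itself does not record AUTH activity, the input is a constructed session transcript of the kind an IDS or a protocol-logging proxy could produce; the line format (timestamp, client IP, `C:`/`S:` direction, text), the sample addresses and the 5-failures-in-60-seconds threshold are all assumptions chosen for the example.

```python
"""Flag SMTP clients that generate bursts of AUTH failures.

Added example for this thread; assumes a constructed transcript format:
    <ISO timestamp> <client-ip> <C:|S:> <SMTP command or reply>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The server reply the post tells the IDS to watch for on TCP/25.
AUTH_FAIL_MARKER = "535 5.7.3 Authentication unsuccessful"

# Constructed sample transcript. 203.0.113.5 hammers AUTH six times in
# ten seconds; 198.51.100.20 mistypes once and then succeeds; 192.0.2.77
# fails five times but spread 90 seconds apart (slow, below threshold).
SAMPLE_LOG = """\
2002-11-12T10:00:01 203.0.113.5 C: AUTH LOGIN
2002-11-12T10:00:01 203.0.113.5 S: 535 5.7.3 Authentication unsuccessful
2002-11-12T10:00:03 203.0.113.5 S: 535 5.7.3 Authentication unsuccessful
2002-11-12T10:00:05 203.0.113.5 S: 535 5.7.3 Authentication unsuccessful
2002-11-12T10:00:07 203.0.113.5 S: 535 5.7.3 Authentication unsuccessful
2002-11-12T10:00:09 203.0.113.5 S: 535 5.7.3 Authentication unsuccessful
2002-11-12T10:00:11 203.0.113.5 S: 535 5.7.3 Authentication unsuccessful
2002-11-12T10:01:00 198.51.100.20 C: AUTH LOGIN
2002-11-12T10:01:00 198.51.100.20 S: 535 5.7.3 Authentication unsuccessful
2002-11-12T10:01:10 198.51.100.20 S: 235 2.7.0 Authentication successful
2002-11-12T10:02:00 192.0.2.77 S: 535 5.7.3 Authentication unsuccessful
2002-11-12T10:03:30 192.0.2.77 S: 535 5.7.3 Authentication unsuccessful
2002-11-12T10:05:00 192.0.2.77 S: 535 5.7.3 Authentication unsuccessful
2002-11-12T10:06:30 192.0.2.77 S: 535 5.7.3 Authentication unsuccessful
2002-11-12T10:08:00 192.0.2.77 S: 535 5.7.3 Authentication unsuccessful
"""


def parse_line(line):
    """Split one transcript line into (timestamp, ip, direction, text)."""
    ts, ip, direction, text = line.split(" ", 3)
    return datetime.fromisoformat(ts), ip, direction, text


def find_auth_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {client_ip: peak_failures} for every source that produced at
    least `threshold` AUTH failures inside any `window_seconds` window.

    A per-source sliding window (deque of failure timestamps) is kept so a
    slow trickle of failures is not mistaken for a burst.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)
    flagged = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, ip, direction, text = parse_line(raw)
        # Only server replies carrying the 535 5.7.3 marker count as failures.
        if direction != "S:" or not text.startswith(AUTH_FAIL_MARKER):
            continue
        failures = recent[ip]
        failures.append(ts)
        # Drop failures that fell out of the window.
        while failures and ts - failures[0] > window:
            failures.popleft()
        if len(failures) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(failures))
    return flagged


if __name__ == "__main__":
    for ip, count in find_auth_bruteforce(SAMPLE_LOG).items():
        print(f"possible SMTP AUTH brute force from {ip}: {count} failures in 60s")
```

Run against the sample it reports only 203.0.113.5; the single mistake from 198.51.100.20 and the slow attempts from 192.0.2.77 stay below the threshold. Tuning the window and threshold to your own traffic is the main design choice: a lower threshold catches slower guessing at the cost of more noise from users with stale saved passwords.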
 
Thanks for the replies folks. Neutec you've given me some tips that I would have found hard to come by - cheers.

Kilt
 
Password: MDFBWOOTHDOMLI1953

i.e. the phrase which is personal to you:
"My daughter's first birthday was one of the happiest days of my life in 1953"

Take the first letter of every word. If they can crack this in 10 tries, more power to them, but chances are they will give up first.
 